This article was published on November 19, 2013

Google extends its proactive Patch Reward Program to include Android Open Source Project, Web servers, and more

Story by Emil Protalinski

Emil was a reporter for The Next Web between 2012 and 2014. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, TechSpot, ZDNet, and CNET. Stay in touch via Facebook, Twitter, and Google+.

Google today extended its proactive Patch Reward Program to include even more open-source software (OSS). Among them is the Android Open Source Project, which the company previously did not reveal was going to be added.

Last month, Google started providing financial incentives (between $500 and $3,133.70) for proactive improvements to OSS that go beyond merely fixing a known security bug. Google said at the time it would be rolling out the program gradually, and hinted that more project types would be on the way.

Less than six weeks later, the company has added the following:

  • All the open-source components of Android: Android Open Source Project.
  • Widely used Web servers: Apache httpd, lighttpd, nginx.
  • Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot.
  • Virtual private networking: OpenVPN.
  • Network time: University of Delaware NTPD.
  • Additional core libraries: Mozilla NSS, libxml2.
  • Toolchain security improvements for GCC, binutils, and llvm.

These additions join the following five project types with which Google launched its program in October:

  • Core infrastructure network services: OpenSSH, BIND, ISC DHCP.
  • Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib.
  • Open-source foundations of Google Chrome: Chromium, Blink.
  • Other high-impact libraries: OpenSSL, zlib.
  • Security-critical, commonly used components of the Linux kernel (including KVM).

Interestingly, Google at launch said it would eventually add support for widely used Web servers, popular SMTP services, toolchain security improvements, and virtual private networking. Android, network time, and additional core libraries were not mentioned explicitly last month, but were added today nevertheless, suggesting that the program is off to a solid start.

We noted at the time that Google is essentially expanding its Vulnerability Reward Program to the world of OSS in the hopes of improving the security of key third-party software critical to the health of the entire Internet. In fact, Google today once again reiterated its plan: “The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet.”

With the addition of Android, however, it looks like Google is already blurring what it means by “third-party.” The company also didn’t elaborate on how exactly its mobile operating system is vital to the health of the Internet.

Top Image Credit: Johannes Eisele/Getty Images
